WatchGuard has released security updates for its Firebox firewalls to fix a critical vulnerability in Fireware OS, CVE-2025-9242. An unauthenticated remote attacker can exploit the flaw to execute arbitrary code on Fireboxes that are configured for IKEv2 VPN.
What the Vulnerability Does
The flaw is an out-of-bounds write in the Fireware OS iked process, the daemon that performs IKE negotiation for the firewall's IPSec VPNs. It affects Firebox devices running Fireware OS 11.x, 12.x up to and including 12.11.3, and 2025.1.
The vulnerability carries a CVSS score of 9.3 (critical). Because IKE negotiation happens before any peer authentication, a remote attacker needs no credentials to reach the vulnerable code: crafted IKE traffic is enough to trigger the write and execute code on the firewall itself, which in turn gives a foothold on the network behind it. A Firebox is exposed if it is configured for mobile user VPN with IKEv2, or for a branch office VPN to a dynamic gateway peer. Removing those configurations is not sufficient on its own: if any branch office VPN to a static gateway peer remains, the firewall is still at risk, because iked keeps running and the default VPN policies still accept incoming IKE traffic from any source address.
How to Stay Safe
WatchGuard is strongly urging all Firebox administrators to update to a patched release immediately. Fixes are available in the following versions, one per maintained branch:
- 12.3.1_Update3 (B722811)
- 12.5.13 (T15 and T35 models only)
- 12.11.4
- 2025.1.1
WatchGuard noted that Fireware OS 11.x has reached end of life and will not receive a fix, so devices that cannot move off 11.x have only the workaround below to fall back on.
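As an added example (not part of WatchGuard's advisory or of the original article), the following Python script classifies Fireware OS version strings from a device inventory against the fixed releases listed above. The version-string format it parses (major.minor[.patch][_UpdateN][ (Bnnnnnn)]) is an assumption inferred from the strings in the list, not taken from WatchGuard documentation. The script cannot tell whether a device actually has IKEv2 VPN configured, nor whether a 12.5.x device is a T15 or T35; it only answers whether the firmware is at or above the fixed release for its branch.

```python
"""Triage Fireware OS versions against the CVE-2025-9242 fixed releases.

Added example. The version-string format is assumed, not taken from
WatchGuard documentation.
"""
import re

# Fixed releases named in the advisory, as (major, minor, patch, update) tuples.
FIXED = {
    "2025.1": (2025, 1, 1, 0),   # 2025.1.1
    "12.11": (12, 11, 4, 0),     # 12.11.4 (target for every other 12.x branch)
    "12.5": (12, 5, 13, 0),      # 12.5.13, T15 and T35 only
    "12.3.1": (12, 3, 1, 3),     # 12.3.1_Update3 (B722811)
}

# Assumed format: major.minor[.patch][_UpdateN][ (Bnnnnnn)]
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:_Update(\d+))?(?:\s*\(B\d+\))?\s*$"
)


def parse_version(text):
    """'12.3.1_Update3 (B722811)' -> (12, 3, 1, 3). Raises ValueError otherwise."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Fireware version string: {text!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch or 0), int(update or 0))


def assess(text):
    """Return 'patched', 'vulnerable', 'eol-vulnerable' or 'unknown'."""
    v = parse_version(text)
    major, minor, patch, _update = v
    if major == 11:
        return "eol-vulnerable"        # end of life: no fix will be released
    if major == 12:
        if (minor, patch) == (3, 1):
            branch = "12.3.1"
        elif minor == 5:
            branch = "12.5"
        else:
            branch = "12.11"           # 12.6 .. 12.10 must move to 12.11.4 or later
    elif major >= 2025:
        branch = "2025.1"
    else:
        return "unknown"               # the advisory says nothing about this release line
    return "patched" if v >= FIXED[branch] else "vulnerable"


def triage(inventory):
    """Group {hostname: version} into {status: [hostnames]}, both sorted."""
    groups = {}
    for host, version in inventory.items():
        try:
            status = assess(version)
        except ValueError:
            status = "unparseable"
        groups.setdefault(status, []).append(host)
    return {k: sorted(v) for k, v in sorted(groups.items())}


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {
        "fw-hq": "12.11.3",
        "fw-branch-1": "12.11.4",
        "fw-shop": "12.5.12",
        "fw-legacy": "12.3.1_Update3 (B722811)",
        "fw-lab": "2025.1",
        "fw-old": "11.12.4_Update1",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:15} {', '.join(hosts)}")
```

Anything reported as vulnerable or eol-vulnerable still needs the configuration check from the section above (mobile user VPN with IKEv2, or any branch office VPN) to decide whether it is actually exposed; the firmware check only tells you whether the fix is present.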
Temporary Workaround
For administrators who cannot patch immediately, WatchGuard has published a temporary workaround for firewalls that still need branch office VPN to static gateway peers. It involves disabling any dynamic-peer VPNs, creating a firewall alias containing the IP addresses of the trusted static peers, and adding new firewall policies that permit VPN traffic (IKE, UDP 500 and 4500) only from that alias. Once those policies are in place, the default system VPN policies, which accept incoming VPN connections from any address, can be disabled. The order matters: disabling the default policies before the allowlisted ones are active drops the legitimate tunnels along with the exposure.
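Before switching off the default VPN policies it is worth confirming that every legitimate IKE initiator is actually in the trusted alias; otherwise the cut-over breaks real tunnels. The following Python script is an added example, not WatchGuard's code or anything from the original article. It parses a constructed, simplified log format (not Fireware's real log syntax) and reports which source addresses sent IKE traffic (UDP 500 or 4500) from inside and from outside the alias; the addresses, alias entries and log lines are all made up for illustration.

```python
"""Pre-flight check for the CVE-2025-9242 workaround: which addresses are
actually initiating IKE, and are they all in the trusted-peer alias?

Added example. The log format below is constructed for illustration and is
not Fireware's log syntax.
"""
import ipaddress
from collections import Counter

IKE_PORTS = {500, 4500}   # IKE and IKE over NAT traversal, both UDP

# Constructed alias: the static gateway peers the workaround should keep allowing.
TRUSTED_PEERS = ["198.51.100.10", "203.0.113.0/29"]

# Constructed log lines: "<time> <action> <src> <dst> <proto> <sport> <dport>"
SAMPLE_LOG = [
    "2025-09-17T08:00:01 allow 198.51.100.10 192.0.2.1 udp 500 500",
    "2025-09-17T08:00:02 allow 198.51.100.10 192.0.2.1 udp 4500 4500",
    "2025-09-17T08:00:05 allow 203.0.113.4 192.0.2.1 udp 500 500",
    "2025-09-17T08:00:09 allow 192.0.2.77 192.0.2.1 udp 500 500",
    "2025-09-17T08:00:11 allow 192.0.2.77 192.0.2.1 udp 4500 4500",
    "2025-09-17T08:00:12 allow 198.51.100.23 192.0.2.1 tcp 51544 443",
    "2025-09-17T08:00:13 deny 198.51.100.23 192.0.2.1 udp 53122 53",
    "malformed line that should be skipped",
]


def load_alias(entries):
    """Turn IPs and CIDR blocks into network objects; a bare IP becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_trusted(src, alias):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in alias)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not fit."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, action, src, dst, proto, sport, dport = parts
    try:
        return {"ts": ts, "action": action, "src": src, "dst": dst,
                "proto": proto.lower(), "sport": int(sport), "dport": int(dport)}
    except ValueError:
        return None


def audit_ike_sources(lines, trusted_entries):
    """Count IKE packets per source, split into (trusted, untrusted) Counters."""
    alias = load_alias(trusted_entries)
    trusted, untrusted = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] not in IKE_PORTS:
            continue
        bucket = trusted if is_trusted(rec["src"], alias) else untrusted
        bucket[rec["src"]] += 1
    return trusted, untrusted


def missing_from_alias(untrusted):
    """Sources seen initiating IKE that the alias would block: review each one
    (legitimate peer to add, or exposure the workaround removes) before cut-over."""
    return sorted(untrusted,
                  key=lambda ip: (ipaddress.ip_address(ip).version, ipaddress.ip_address(ip)))


if __name__ == "__main__":
    trusted, untrusted = audit_ike_sources(SAMPLE_LOG, TRUSTED_PEERS)
    print("trusted IKE initiators:  ", dict(trusted))
    print("untrusted IKE initiators:", dict(untrusted))
    print("review before cut-over:  ", missing_from_alias(untrusted))
```

Every address in the untrusted list is either a peer that belongs in the alias or an unknown party reaching iked today; both are worth knowing before the default policies are disabled.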
The workaround reduces exposure but does not remove the flaw; WatchGuard advises all users to apply the security updates without delay.